How Citrix NetScaler Critical Vulnerability CVE-2019-19781 Revealed Hidden Problems in the IT Industry

Dear reader, first of all I should point out that, as a resident of Germany, I describe the situation in this country. In your country the situation may be radically different.

On December 17, 2019, information about a critical vulnerability in the Citrix Application Delivery Controller (NetScaler ADC) and Citrix Gateway product lines, popularly known as NetScaler Gateway, was published on the Citrix Knowledge Center. Later, the vulnerability was also found in the SD-WAN line. It affected all product versions from 10.5 through the then-current 13.0 and allowed an unauthenticated attacker to execute arbitrary code on the appliance, effectively turning NetScaler into a staging point for further attacks on the internal network.

Together with the publication of the vulnerability, Citrix published recommendations for reducing the risk (a workaround). A complete fix was promised only for the end of January 2020.

The severity of this vulnerability (CVE-2019-19781) was rated 9.8 out of 10 on the CVSS scale. According to Positive Technologies, the vulnerability affected more than 80,000 companies worldwide.

Possible reaction to the news

Being a responsible person, I assumed that every IT professional with NetScaler products in their infrastructure had done the following:

  1. immediately implemented all of the risk-mitigation recommendations in article CTX267679;
  2. re-checked the firewall rules for the traffic allowed from NetScaler towards the internal network;
  3. asked the IT security administrators to watch for "unusual" attempts to access NetScaler and, where necessary, block them. Remember that NetScaler usually sits in the DMZ;
  4. evaluated temporarily disconnecting NetScaler from the network until more information about the problem became available. During the Christmas holidays this would not have been so painful, and many companies have VPN access as an alternative anyway.
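As an added illustration of point 3 (this is example code written for this page, not code from the original article or from Citrix): a small Python scanner that flags the request pattern through which this vulnerability was exploited, a directory traversal (`/../`) that reaches the `/vpns/` path, which is the same pattern the CTX267679 workaround blocks for unauthenticated clients. The log format, the regular expression and the sample log lines are assumptions constructed for the example; adapt the regex to the access log you actually have, whether exported from the appliance or taken from a reverse proxy or WAF in front of it.

```python
"""Scan web-access log lines for the CVE-2019-19781 request pattern.

Added example, not part of the original article. The Combined-Log-Format
layout and the sample lines below are assumptions made for this example.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample lines (not a real capture). Client addresses are RFC 5737
# documentation ranges. Two clients probe the traversal path, one is a normal user.
SAMPLE_LOG = """\
192.0.2.55 - - [10/Jan/2020:08:02:11 +0100] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 21000
203.0.113.10 - - [10/Jan/2020:03:14:07 +0100] "GET /vpn/index.html HTTP/1.1" 200 5120
203.0.113.10 - - [10/Jan/2020:03:14:09 +0100] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 83
198.51.100.7 - - [10/Jan/2020:03:15:42 +0100] "POST /vpn/%2e%2e/vpns/portal/scripts/newbm.pl HTTP/1.1" 200 0
198.51.100.7 - - [10/Jan/2020:03:15:45 +0100] "GET /vpn/%252e%252e/vpns/portal/scripts/newbm.pl HTTP/1.1" 404 0
192.0.2.55 - - [10/Jan/2020:08:02:15 +0100] "GET /vpn/images/logo.png HTTP/1.1" 200 3100
"""

# Assumed log layout: client, ident, user, [timestamp], "METHOD path protocol", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def normalize_path(path: str) -> str:
    """Percent-decode until the string stops changing (catches %2e and the
    double-encoded %252e), then lower-case, so the check sees the path the
    appliance would resolve rather than the raw bytes on the wire."""
    current = path
    for _ in range(5):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current.lower()


def classify(path: str) -> list[str]:
    """Return the indicators found in one request path (empty list = clean)."""
    p = normalize_path(path)
    reasons = []
    if "/../" in p:
        # A '..' segment in a request to a published gateway URL is never legitimate.
        reasons.append("directory traversal")
    if "/vpns/" in p:
        # /vpns/ is only reachable for an established SSL VPN session; reached via
        # traversal it is the CVE-2019-19781 pattern CTX267679 blocks.
        reasons.append("/vpns/ reached")
    return reasons


def scan(log_text: str) -> dict[str, list[dict]]:
    """Group suspicious requests by client IP for blocking and follow-up."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: not this example's concern
        reasons = classify(m["path"])
        if reasons:
            hits[m["ip"]].append({
                "ts": m["ts"], "method": m["method"], "path": m["path"],
                "status": m["status"], "reasons": reasons,
            })
    return dict(hits)


if __name__ == "__main__":
    for ip, requests in scan(SAMPLE_LOG).items():
        print(f"{ip}: {len(requests)} suspicious request(s)")
        for r in requests:
            print(f"  {r['ts']} {r['method']} {r['path']} -> {r['status']}: "
                  f"{', '.join(r['reasons'])}")
```

Decoding before matching is the important detail: `%2e%2e` and the double-encoded `%252e%252e` are the same traversal to the appliance as a literal `..`, and a matcher that only inspects the raw string misses them. Any client listed in the output should be blocked at the firewall, and a request that reached `/vpns/` with a 200 response after December 17 should be treated as a possible compromise of the appliance, not just as a scan.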

What happened next?

Unfortunately, as it turned out, the above steps, which are the standard approach, were ignored by the majority.

Many specialists responsible for Citrix infrastructure learned about the vulnerability only on 13.01.2020, from the mainstream news. They found out when a huge number of the systems under their responsibility had already been compromised. The absurdity of the situation reached the point that the exploits needed for this could be downloaded quite legally from the internet.
For some reason I had assumed that IT specialists read the mailing lists of the vendors of the systems entrusted to them, know how to use Twitter, follow the leading experts in their field and keep up with current events.

In fact, for more than three weeks, numerous Citrix customers completely ignored the vendor's recommendations. And Citrix's customers include almost all large and medium-sized companies in Germany, as well as almost all government agencies. Government institutions were affected first of all.

But there is something to do

Those whose systems have been compromised need a complete reinstallation, including replacement of the TLS certificates together with their private keys, which must be treated as stolen. Perhaps those Citrix customers who expected more active action from the vendor in eliminating a critical vulnerability will seriously look for an alternative. We have to admit that Citrix's reaction does not inspire optimism.

There are more questions than answers

The question arises: what did Citrix's numerous partners, Platinum and Gold, do? Why did the necessary information appear on the pages of some Citrix partners only in the third week of 2020? Obviously, the highly paid external consultants also slept through this dangerous situation. I don't want to offend anyone, but a partner's task is first of all to prevent problems, not to offer (that is, sell) help in eliminating them.

In fact, this situation showed the real state of affairs in IT security. Both the employees of corporate IT departments and the consultants at Citrix partner firms should understand one truth: if there is a vulnerability, it must be fixed. And a critical vulnerability must be eliminated immediately!

Source: habr.com
